Companies spend a lot of time and money to protect their data from hackers, thieves, and other malfeasants — and for good reason. But when it comes to the causes of data breaches in health care, don't forget human goof-ups. According to the latest findings from Ponemon Institute's 2011 “Benchmark Study on Patient Privacy and Data Security,” human mistakes account for nearly half of data breaches involving protected health information (PHI).
If only there was a firewall to block out stupidity, carelessness and just dumb luck. Our experience in data breach prevention and response shows that human frailty is as prevalent a cause as malicious intent, or even more so. Here are a few real-life data breach "whoopsidaisies":
- Garage sale bargains: patient data files. Garage sales are great places for a deal. Sift through the headless Barbie dolls and vinyl records, and you might discover a treasure, as did one customer who purchased a filing cabinet chock-full of personal data, including Social Security numbers and home addresses. Thankfully, this bargain shopper left the contents safely with the owner to destroy. The truth is, many old file cabinets may have data that needs to be destroyed – could it be yours?
- Leaving personally identifiable information (PII) in a car. One organization held an annual drill to assess its preparedness in the face of a data breach. Instead of using test data, an employee transported actual data tapes offsite that contained client accounts payable information and left them overnight in his car. The thief — probably looking for a CD player — got details on every payout ever made to people who had sued the company.
- Lost keychain with a flash drive. Flash drives are great portable devices, but they don't belong on key rings — especially if you are a health care employee who transports protected health information (PHI). The data on that drive is probably more valuable than your Honda.
- Private patient records spill from a shredding truck. A shredding truck containing an organization's patient records, with PHI, overturned while driving on a street in small-town USA. Paper records spilled out and flew all over town and into the hands of who-knows-who.
The irony about these true stories is that, for the most part, organizations try to do the right thing and they still experience data breaches. Highlighting the mistakes may give us a chuckle, but they can also be a learning experience. Our best advice? Plan for the worst, hope for the best.
Christine Arevalo is the director of health care identity management at ID Experts, a consulting firm specializing in comprehensive data breach solutions.
